Let's face it; firewalls are a huge issue. Whether we’re kicked back at home surfing for the next best find or diligently working on our company's network infrastructure, we all need to practice safe computing and good network protection. For some, this protection comes at a high intellectual price. For others, it's a challenge to look forward to.
Regardless of how you feel about setting up a network firewall, Lokkit will surely change your mind about the complexity of the issue. Though not the best choice for a larger company, this tool will serve the single user and the small-shop network very well. This Daily Feature will introduce you to Lokkit and show you how easy setting up a Linux firewall can be.
For many Linux old-timers, Lokkit will be far too simplistic and not nearly granular enough. For those new to the operating system (as either server or desktop), Lokkit should prove to be everything you need to get a basic firewall up and running in no time and with no sweat.
What it is, what it was, and what it shall be
What is Lokkit? Simply put, it’s a graphical front end for the configuration (that comes on almost all newer GNOME desktop installations) of ipchain rulesets. This front end works as a wizard and asks the user questions regarding the machine's use.
The Lokkit tool was written to work for the typical dial-up and cable modem user. This tool will not configure user-defined firewalls, other than those securing the DHCP, httpd, smtp, ssh, and telnet services.
When you open services with Lokkit, you are opening them to the world so choose them wisely!
If you need any other services open, you will have to manually add those chains to your rulesets. If you are interested in learning more about ipchains, take a look at my earlier Daily Drill Down: ”ipchains: A painless way to ensure networking security.” If the aforementioned services are the ones you need to leave open, read on, Macduff, and learn how to set up your Linux firewall in a matter of seconds.
As with all good security tools, you must run Lokkit as root. There are two types of Lokkit tools: Lokkit (curses or text-based) and gnome-lokkit (GUI-based). For the purposes of this Daily Feature, we are going to use gnome-lokkit.
To start the gnome-lokkit tool, you must first su to root with the command su -. (The dash is necessary as it gives you rights to root’s $PATH environment variables as well.) Once you give root’s password, you then run either:
For this example, we’ll enter the gnome-lokkit command. Once you issue the command, you’ll be greeted by a warning asking if you want to "ovverride your old firewall configuration" (the application’s spelling, not mine). Click Yes to click through the splash screen. Now you are about to discover why Lokkit is such a great tool for quick-and-dirty firewalls (emphasis on quick). The splash screen is followed by eight screens. Each asks a single question. The first question asks whether Lokkit should trust the hosts attached to the detected Ethernet card (in our example, eth0) (see Figure A).
|Although Lokkit wants you to close off your link to the outside world, it will only block you from getting out if you tell it not to trust machines on the given networking device.|
Click Next. You will be asked whether you use DHCP on any of your interfaces. Clicking Yes here will allow any machines on the trusted network access to the BOOTPC (port 68) and BOOTPS (port 67) ports. Clicking No will disable access to these ports.
The next screen asks whether you want to enable access to incoming services on the machine. If you wish to allow certain services into this local machine, select Yes and click Next.
The Web server service is configured first. Select Yes to allow access to port 80 (http) or No to deny access.
Next is incoming SMTP delivery. You don’t need to enable this service if you are simply downloading mail from an ISP's mail server or using a tool such as fetchmail. Select Yes to allow access to the SMTP port (port 25) or No to deny access.
Secure shell (ssh) is the next protocol to be selected. If you select Yes, you’ll allow incoming traffic access to the ssh port (22). Select No to deny it.
Telnet is the final victim to allow or disallow. I strongly advise you not to allow telnet access; opt for the more secure ssh option. Select No (to disable access to port 23) and move along.
After you've selected the desired services, click Finish to tell Lokkit to activate the firewall. Depending on which services you've allowed, you may or may not see the Mail Services Are Enabled (Checking For Relaying), Beginning Mail Test, and EOF (End Of File) – Passed pop-up windows. These windows will not appear if you've disabled incoming SMTP traffic. (Fancy that!)
Once the command prompt has returned, your firewall is up and running. You can test the firewall by issuing the ipchains -L command. The firewall we’ve configured looks like this (when ipchains -L is run).
Although not recommended for enterprise-level security, Lokkit is a great tool for single users to small-scale networks needing to get a modicum of security up very quickly. If you are just getting into Linux security, Lokkit is a great way to learn the ropes with ipchains. If you know ipchains already, Lokkit lets you get a simple firewall up fast.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.